Administration Reference


Administrative Utilities

AquaLogic Enterprise Security includes a number of helpful administrative utilities. This section provides a reference to the following utilities:

Note: Configuration File Usage describes which configuration files are used by a particular utility.

In the syntax descriptions for these utilities:



This is the Policy Import tool, which you can use to import your policy files. Normally all the tool needs is a path to a valid policy loader configuration file. All the settings are listed in that file. You can use additional command line arguments to override the settings listed in the configuration file.

If you import a file that uses multi-byte characters, the file must be UTF-8 encoded.

As of AquaLogic Enterprise Security version 2.5, policy loading is now transactional: all policies are loaded, or none. In addition, the BLMContextManager API has been updated to include transactional methods.

For information about creating a policy loader configuration file, see Sample Configuration File in the Policy Managers Guide. For more information about running the Policy Import tool, see Running the Policy Import Tool and Understanding How the Policy Loader Works in the Policy Managers Guide.


ALES_ADMIN_HOME\bin\policyloader.bat <configuration_file> [-initial|-recover] [-load|-remove] [-help|-?|-usage]
ALES_ADMIN_HOME/bin/ <configuration_file> [-initial|-recover] [-load|-remove] [-help|-?|-usage]


The following options are supported:


Print USAGE and exit.


Run in initial mode. There should be no versioned files in the policy directory in this mode.


Run in recover mode to revert to an earlier policy set. There should be checkpoint files (generated automatically during a previous load) in the policy directory in this mode.


Run in policy load mode (default). Load policy from the files specified in the configuration file.


Run in policy remove mode. Remove the policies described in the files specified in the configuration file.


>policyloader.bat MyAppPolicy.conf



Loads the admin policy. This tool does not take any arguments. It needs to be run only once per Administration Server installation, after the database schema has been loaded. Once this tool has run, it sets the policy that allows the system user to access the Administration Console.







The Policy Propagation Import/Export tool. You can use this tool to propagate your policy from one environment to another, and to export SSM configuration data for use when an SCM is not associated with the SSM. An example would be moving policy from a development installation to a QA installation, or from a staging installation to a production deployment. You can also use policyIX to import and export policy data between ALES and AquaLogic Enterprise Repository.

If you import a file that uses multi-byte characters, the file must be UTF-8 encoded.

Exporting Policy

To use the policyIX tool to export policy, pass it an XML configuration file that specifies the top-level resource node you want to export. The tool determines all the policy elements related to that resource and its leaf nodes. When you import the exported file in another environment, the policyIX tool creates a replica of the original resource tree with its accompanying policy.

Exporting Configuration Data

The PolicyIX tool allows you to export configuration data (configured either through the ALES Administration Console, or directly via the BLM API) for a given SSM to an XML file, and use it with the configured SSMs when the SCM is not available.

To use the tool to export SSM configuration data, pass it the SSM configuration ID to export, the exportConfig parameter, the config.xml file and, optionally, the name of the exported XML file.

PolicyIX uses the existing settings for the SSL infrastructure, specified during the Administration server installation, to sign the exported configuration files. Specifically, the PolicyIX.bat file invokes the tool with -Dales.policyTool.signer=wles-admin. The ales.policyTool.signer property is a required Java property that specifies the alias of the signing key in the identity keystore, which must be equal to the Administration server machine name.

The public key of the Administration server is then retrieved from the SSL peer keystore for the purpose of validating the configuration file’s signature. This public key is available from the Administration server’s certificate, which was added to the SSL peer keystore during the enrollment process.

The unencoded signature of the XML file is stored in a corresponding signature file, whose name is derived from the full name of the signed XML file (including extension) with the added .sig extension. For example, myconfig.xml.sig.

After you export the configuration data, you must manually copy the XML configuration file and signature file to the SSM configuration directory, BEA_HOME/ales30-ssm/<ssm-type>/instance-name/config.

If you do not use the default name (wles.securityrealm.xml) for this configuration file, set the wles.realm.filename property in the BEA_HOME/ales30-ssm/<ssm-type>/instance-name/config/ file. See Installing an SSM Without an Associated SCM in Installing Security Service Modules for additional information about the file.
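The signing and verification flow described above, as an added Go example that is not part of this reference or of the ALES code: it signs a constructed configuration document, writes the detached signature next to it under the documented naming rule (full XML file name plus .sig, unencoded), and shows the check a consumer on the SSM side should make after the manual copy, refusing a file whose signature no longer verifies. The key pair, the document content and the choice of RSA PKCS#1 v1.5 over SHA-256 are assumptions of the example; the text does not name the algorithm, and the product takes its signing key from the identity keystore selected by ales.policyTool.signer rather than generating one.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"os"
	"path/filepath"
)

// Constructed stand-in for an exported SSM configuration. Only the file name
// wles.securityrealm.xml comes from the documentation; this content does not.
const sampleConfig = `<?xml version="1.0" encoding="UTF-8"?>
<securityrealm name="constructed-example">
  <provider class="ASIAuthorizer"/>
</securityrealm>
`

// signConfig returns the raw, unencoded signature over the XML bytes. The key
// stands in for the Administration Server identity key that ales.policyTool.signer
// selects; RSA PKCS#1 v1.5 over SHA-256 is an assumption of this example.
func signConfig(priv *rsa.PrivateKey, xmlBytes []byte) ([]byte, error) {
	digest := sha256.Sum256(xmlBytes)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyConfig checks the detached signature with the signer's public key, the
// role the Administration Server certificate in the SSL peer keystore plays.
func verifyConfig(pub *rsa.PublicKey, xmlBytes, sig []byte) error {
	digest := sha256.Sum256(xmlBytes)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// writeSignedPair writes <name> and <name>.sig into dir: the signature file is
// named after the full XML file name, extension included, plus ".sig".
func writeSignedPair(dir, name string, xmlBytes, sig []byte) (string, error) {
	xmlPath := filepath.Join(dir, name)
	if err := os.WriteFile(xmlPath, xmlBytes, 0o600); err != nil {
		return "", err
	}
	return xmlPath, os.WriteFile(xmlPath+".sig", sig, 0o600)
}

// loadVerifiedConfig is the check for the SSM side after the manual copy into
// the config directory: read both files and refuse the XML unless it verifies.
func loadVerifiedConfig(pub *rsa.PublicKey, xmlPath string) ([]byte, error) {
	xmlBytes, err := os.ReadFile(xmlPath)
	if err != nil {
		return nil, err
	}
	sig, err := os.ReadFile(xmlPath + ".sig")
	if err != nil {
		return nil, fmt.Errorf("signature file missing: %w", err)
	}
	if err := verifyConfig(pub, xmlBytes, sig); err != nil {
		return nil, fmt.Errorf("signature does not verify, refusing to load: %w", err)
	}
	return xmlBytes, nil
}

// demo runs the flow end to end: sign, copy, verify, then append one line to the
// copied XML without touching the .sig and confirm the edited file is rejected.
// It returns (untampered accepted, tampered rejected).
func demo() (bool, bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	dir, err := os.MkdirTemp("", "ssm-config")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(dir)
	sig, err := signConfig(priv, []byte(sampleConfig))
	if err != nil {
		return false, false, err
	}
	xmlPath, err := writeSignedPair(dir, "wles.securityrealm.xml", []byte(sampleConfig), sig)
	if err != nil {
		return false, false, err
	}
	_, err = loadVerifiedConfig(&priv.PublicKey, xmlPath)
	accepted := err == nil
	tampered := sampleConfig + "<!-- one extra line is enough to break the signature -->\n"
	if err := os.WriteFile(xmlPath, []byte(tampered), 0o600); err != nil {
		return false, false, err
	}
	_, err = loadVerifiedConfig(&priv.PublicKey, xmlPath)
	return accepted, err != nil, nil
}

func main() {
	accepted, rejected, err := demo()
	fmt.Printf("untampered accepted: %v, tampered rejected: %v, err: %v\n", accepted, rejected, err)
}
```

The order matters: the consumer verifies first and parses afterwards. A consumer that parses the copied file before checking its .sig has already acted on input whose origin it has not established, and a missing signature file is treated the same way as a failing one.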


ALES_ADMIN_HOME\bin\policyIX.bat <-import|-export> <config.xml> <policy.xml> [-passwdPrompt]
ALES_ADMIN_HOME\bin\policyIX.bat <exportID> <-exportConfig> <config.xml> [exportName] [-passwdPrompt]
ALES_ADMIN_HOME/bin/ <-import|-export> <config.xml> <policy.xml> [-passwdPrompt]
ALES_ADMIN_HOME/bin/ <exportID> <-exportConfig> <config.xml> [exportName][-passwdPrompt]



Run the tool in policy import mode.


Run the tool in policy export mode.


Command line parameter that specifies the SSM configuration ID to export. This entry must match the SSM configuration ID that was specified when the SSM instance was created on the server machine. The configuration ID is the means by which the SSM receives its configuration. If -exportConfig is specified, the exportID is required and must be in the first position.


Command line parameter that instructs PolicyIX to export the SSM configuration. If -exportConfig is specified it must be in the second position.


Command line parameter that specifies the name of the exported XML file. If it is not provided, wles.securityrealm.xml is used by default. If -exportConfig is specified, exportName is optional, but must be in the fourth position if present. If you do not use the default name, set the wles.realm.filename property in the file.


This configuration file contains BLM configuration and import or export configuration detail. If you run policyIX in import mode, then the configuration file may also contain policy data to be imported. A sample policyIX configuration file can be found at ALES_ADMIN_HOME/config/policyIX_config.xml. See Table 2-1 and the comments in the sample policyIX_config.xml file for information about the values to include in your configuration file.

Table 2-1 Configuration File Elements

Root (container) element
  The parent or container element.
  Children: Contains either one export_configuration or one import_configuration element, plus one blm_configuration element and optionally one aler_configuration element.

export_configuration
  Used if the -export switch is used for the policyIX tool.
  Children: Contains one clipping_resource element and one target_ssm_version element.

clipping_resource
  The clipping Resource node. All related policy elements will be exported.
  Attribute example: Specifies the Resource node to be exported. For example:
    <clipping_resource value="//app/policy"/>

target_ssm_version
  The version of the SSM that will use the export configuration.
  Attribute examples: Used to specify the release version of the SSM using this configuration. For pre-3.0 versions, use 2.x. For 3.0 and later versions, use 3.x. Examples:
    <target_ssm_version value="2.x"/>
    <target_ssm_version value="3.x"/>

import_configuration
  Used if the -import switch is used for the policyIX tool.
  Children: Contains one policy_load_procedure element.

policy_load_procedure
  Specifies how to handle existing policies.
  Possible values:
    • override - Add policy to already existing policy
    • delete_existing - Delete the policy being imported from the destination before importing the new policy

blm_configuration
  Container for elements that specify how to connect to ALES.
  Children: Contains multiple blm_property elements.

blm_property
  Name/value pairs that specify how to connect to ALES.
  Possible property names and values are:
    • server_ip - Machine name or IP address of the server running BLM
    • server_port - Port of the BLM server. Default is normally the Admin Console SSL port +1.
    • userID - ALES Admin username. Default is system.
    • userPassword - Can also be provided at the command prompt by using the -passwdPrompt option. Default is weblogic.
    • print_info - If set to true, then BLMAlreadyExists exceptions and exceptions related to removing Rules are sent to standard console output.

aler_configuration
  Container for elements that specify how to connect to AquaLogic Enterprise Repository (ALER). Used only with the -exportToALER or -importFromALER options.
  Children: Contains multiple aler_property elements.

aler_property
  Name/value pairs that specify how to connect to ALER.
  Possible property names and values are:
    • server_url - ALER connection URL
    • username - user name to use to connect to ALER
    • userPassword - user password to connect to ALER
    • assetDescription - A description of the asset, used only when the asset is submitted
    • assetName - name of the asset to export or import
    • importAssetVersion - Asset version to import, valid only if the -importFromALER policyIX option is used.
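A validator for the cardinalities and allowed values in Table 2-1, as an added Go example that is not part of policyIX: it parses a configuration document and checks that exactly one of export_configuration or import_configuration and exactly one blm_configuration are present, that target_ssm_version is 2.x or 3.x, that policy_load_procedure is override or delete_existing, and that blm_property names are among those listed; it also flags a userPassword value written into the file, where -passwdPrompt would avoid storing it. Assumptions of the example that the table does not state: the root element name in the constructed sample is a placeholder, blm_property is assumed to carry name and value attributes, and server_ip is treated as required because it is the only BLM property without a documented default.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Structures mirroring the elements in Table 2-1. No root element name is
// fixed, so any root is accepted. Assumed here: blm_property carries name and
// value attributes, and server_ip is required (no documented default).
type (
	valued   struct{ Value string `xml:"value,attr"` }
	property struct {
		Name  string `xml:"name,attr"`
		Value string `xml:"value,attr"`
	}
	exportConf struct {
		Clipping []valued `xml:"clipping_resource"`
		Target   []valued `xml:"target_ssm_version"`
	}
	importConf     struct{ Procedure []valued `xml:"policy_load_procedure"` }
	blmConf        struct{ Props []property `xml:"blm_property"` }
	policyIXConfig struct {
		Export []exportConf `xml:"export_configuration"`
		Import []importConf `xml:"import_configuration"`
		BLM    []blmConf    `xml:"blm_configuration"`
	}
)

var knownBLMProps = map[string]bool{"server_ip": true, "server_port": true, "userID": true, "userPassword": true, "print_info": true}

// validate parses a policyIX configuration and returns every problem found:
// the cardinalities and allowed values of Table 2-1, plus one operational
// finding, a userPassword kept in the file where -passwdPrompt would avoid it.
func validate(doc string) ([]string, error) {
	var cfg policyIXConfig
	if err := xml.Unmarshal([]byte(doc), &cfg); err != nil {
		return nil, err
	}
	var problems []string
	add := func(format string, args ...interface{}) {
		problems = append(problems, fmt.Sprintf(format, args...))
	}
	if n := len(cfg.Export) + len(cfg.Import); n != 1 {
		add("need exactly one export_configuration or import_configuration, found %d", n)
	}
	for _, e := range cfg.Export {
		if len(e.Clipping) != 1 || e.Clipping[0].Value == "" {
			add("export_configuration needs exactly one clipping_resource with a value")
		}
		if len(e.Target) != 1 {
			add("export_configuration needs exactly one target_ssm_version")
		} else if v := e.Target[0].Value; v != "2.x" && v != "3.x" {
			add("target_ssm_version must be 2.x or 3.x, got %q", v)
		}
	}
	for _, imp := range cfg.Import {
		if len(imp.Procedure) != 1 {
			add("import_configuration needs exactly one policy_load_procedure")
		} else if v := imp.Procedure[0].Value; v != "override" && v != "delete_existing" {
			add("policy_load_procedure must be override or delete_existing, got %q", v)
		}
	}
	if len(cfg.BLM) != 1 {
		add("need exactly one blm_configuration, found %d", len(cfg.BLM))
	}
	for _, b := range cfg.BLM {
		haveIP := false
		for _, p := range b.Props {
			switch {
			case !knownBLMProps[p.Name]:
				add("unknown blm_property %q", p.Name)
			case p.Name == "server_ip":
				haveIP = true
			case p.Name == "userPassword" && p.Value != "":
				add("userPassword is written in the configuration file; supply it with -passwdPrompt instead")
			}
		}
		if !haveIP {
			add("blm_configuration has no server_ip property")
		}
	}
	return problems, nil
}

// Constructed sample; the root element name is a placeholder, not the real one.
const goodExport = `<policyix_config_PLACEHOLDER>
  <export_configuration>
    <clipping_resource value="//app/policy"/>
    <target_ssm_version value="3.x"/>
  </export_configuration>
  <blm_configuration>
    <blm_property name="server_ip" value="admin.example.test"/>
    <blm_property name="userID" value="system"/>
  </blm_configuration>
</policyix_config_PLACEHOLDER>`

func main() {
	problems, err := validate(goodExport)
	fmt.Println(problems, err)
}
```

The root element is not checked because the table does not show its name, and aler_configuration, which the table marks optional, is left alone. A file that fails validation is cheaper to catch here than halfway through an import that has already started deleting existing policy under delete_existing.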


If you run policyIX in export mode, then policy data will be exported into this file. If you run policyIX in import mode and the XML configuration file does not contain policy data, then this file will contain policy configuration and data to be imported.


If you use this option, the admin password is read from the command line prompt instead of from the configuration file.


Export data directly from ALES to ALER based on configuration parameters in the config.xml file. To export data to ALER from a policy file, specify the pathname of the file. If a policy file is specified, no connection is made to ALES.


Import policy data directly from ALER to ALES based on configuration parameters in the config.xml file. To import data from ALER to a policy file, specify the pathname of the file. If a policy file is specified, no connection is made to ALES.


To export a policy to a file:

policyIX.bat -export MyServer1ExportConfig.xml MyPolicy.xml

To export an SSM configuration:

policyIX.bat exportID -exportConfig MyServer1ExportConfig.xml MySSM.xml

To import a policy from a file:

policyIX.bat -import MyServer2ImportConfig.xml MyPolicy.xml

To export a policy node to AquaLogic Enterprise Repository:

policyIX.bat -exportToALER config.xml

To import policy data from AquaLogic Enterprise Repository:

policyIX -importFromALER config.xml



Export ALES policy data from a database server to a directory in policyloader format. The tool requires an empty directory into which it exports the files; that directory must exist before you run the tool. Any existing policy files in that directory will be replaced or deleted. On UNIX, the program prompts for each argument in turn. Make sure the current working directory is ALES_ADMIN_HOME/bin before running the tool.


ALES_ADMIN_HOME\bin\policyexporter.bat [directory]



Directory path to which the files will be exported. Use to export to the current directory.


>policyexporter.bat c:\MyPolicy



Installs the ALES policy database schema into the database server. If the schema already exists, it will be replaced, including existing policy. On UNIX, the program prompts you to input the arguments. Make sure the current working directory is ALES_ADMIN_HOME/bin before running the tool.


ALES_ADMIN_HOME\bin\install_ales_schema.bat <db-username> <db-password> 



Login ID, usually the same as the owner.


Password for the db-username


>install_ales_schema.bat username password



A secure password utility tool. It encrypts the password with the key and saves it, base64-encoded, in the password file under the corresponding alias. You can use this tool to store or update the password for the system user or the database user. The ASIAuthorizer and the BLM both read password.xml to obtain the password used to connect to the ALES database.


ALES_ADMIN_HOME\bin\asipassword.bat <alias> [passwordFilename] [keyFilename]
ALES_ADMIN_HOME/bin/ <alias> [passwordFilename] [keyFilename]



The alias for the password, often the username.


The filename for the xml password file. The default (BEA_HOME/ales30-shared/keys/password.xml) is used if you do not supply a different value for this option.


The filename for the password key file. The default (BEA_HOME/ales30-shared/keys/password.key) is used if you do not supply a different value for this option.


This command is issued from the /bin directory:

asipassword system ../keys/password.xml ../keys/password.key
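How an alias-keyed store of encrypted, base64-encoded passwords of the kind asipassword maintains can be written and read back, as an added Go example that is not the product's code: it derives an AEAD from the raw bytes of a key file, encrypts a password under an alias, writes the base64 value into an XML document, replaces an existing alias in place instead of appending a second entry, and recovers the password the way a consumer such as the BLM would. The element names, AES-GCM and the 32-byte key are this example's assumptions; the text says only that the password is encrypted with the key and stored base64-encoded under its alias. Reading and writing password.xml and password.key is left to the caller, which works on the document bytes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/xml"
	"fmt"
)

// passwordFile plays the role of password.xml: one encrypted value per alias.
// Element and attribute names are constructed here; the text gives no schema.
type passwordFile struct {
	XMLName xml.Name `xml:"passwords"`
	Entries []entry  `xml:"password"`
}
type entry struct {
	Alias string `xml:"alias,attr"`
	Value string `xml:",chardata"` // base64(nonce || ciphertext || tag)
}

// openStore builds the AEAD from the key file bytes and parses the password
// document (empty means first use). AES-GCM is this example's choice of cipher.
func openStore(doc, key []byte) (cipher.AEAD, *passwordFile, error) {
	var gcm cipher.AEAD
	block, err := aes.NewCipher(key) // 16-, 24- or 32-byte key
	if err == nil {
		gcm, err = cipher.NewGCM(block)
	}
	pf := &passwordFile{}
	if err == nil && len(doc) > 0 {
		err = xml.Unmarshal(doc, pf)
	}
	return gcm, pf, err
}

// encrypt seals under a fresh random nonce and base64-encodes nonce||ct||tag.
func encrypt(gcm cipher.AEAD, plaintext []byte) (string, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, plaintext, nil)), nil
}

// decrypt reverses encrypt; a wrong key or an edited value fails authentication.
func decrypt(gcm cipher.AEAD, encoded string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if ns := gcm.NonceSize(); err == nil && len(raw) >= ns {
		return gcm.Open(nil, raw[:ns], raw[ns:], nil)
	}
	return nil, fmt.Errorf("malformed stored value (%d bytes, decode error: %v)", len(raw), err)
}

// setPassword returns the document with alias set to the encrypted password;
// an existing alias is replaced in place rather than duplicated.
func setPassword(doc, key []byte, alias, password string) ([]byte, error) {
	gcm, pf, err := openStore(doc, key)
	if err != nil {
		return nil, err
	}
	enc, err := encrypt(gcm, []byte(password))
	if err != nil {
		return nil, err
	}
	i := 0
	for i < len(pf.Entries) && pf.Entries[i].Alias != alias {
		i++
	}
	if i == len(pf.Entries) {
		pf.Entries = append(pf.Entries, entry{Alias: alias})
	}
	pf.Entries[i].Value = enc
	out, err := xml.MarshalIndent(pf, "", "  ")
	return append([]byte(xml.Header), out...), err
}

// getPassword is what a consumer such as the BLM does to recover a password.
func getPassword(doc, key []byte, alias string) (string, error) {
	gcm, pf, err := openStore(doc, key)
	if err != nil {
		return "", err
	}
	for _, e := range pf.Entries {
		if e.Alias == alias {
			pt, err := decrypt(gcm, e.Value)
			return string(pt), err
		}
	}
	return "", fmt.Errorf("no password stored for alias %q", alias)
}

func main() {
	key := make([]byte, 32) // stands in for the bytes of password.key
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	doc, err := setPassword(nil, key, "system", "example-secret")
	fmt.Println(string(doc), err)
}
```

The key file is the whole secret: anyone who can read password.key can recover every entry in password.xml, so both files belong to the service account and should be readable by nobody else. With an authenticated cipher a wrong key or an edited value fails outright instead of yielding a garbled password, and running the update for an alias that already exists replaces its entry rather than leaving two.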



Sends an action command to the server via a Web Service interface.


ALES_ADMIN_HOME\bin\asisignal.bat -url server_url [-action ping|comtest|wait|waitready|status] [-msg msg_to_log] [-reps 1] [-interval 1000] [-?] [-dbg]
ALES_ADMIN_HOME/bin/  -url server_url [-action ping|comtest|wait|waitready|status] [-msg msg_to_log] [-reps 1] [-interval 1000] [-?] [-dbg] 


-action ping, comtest

Send a simple SOAP call to the server, and see if server returns a valid SOAP result.

-action status

Get the server status, which is either INITING or READY.

-action wait

Continuously ping the server until the server replies. If you use this action together with the -reps option, pings are sent until the server replies or until the number of pings specified by -reps has been sent.

-action waitready

Like wait, but waits for the server to reach READY status, not just to respond to the SOAP communication.


The Managed Server SOAP service URL (endpoint), usually ends with /ManagedServer. For example, https://host:7011/ManagedServer.


The message that the log action sends to the server.


Repeat count. Used with the wait and waitready actions.


Sleep interval between each action, in milliseconds. Default is 1000 msecs (1s).


Print a help message.


Turn on debug for this utility.


Ping the BLM Server running on the default port:

>asisignal.bat -action ping -url https://host:7011/ManagedServer
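The wait and waitready semantics described above, as an added Go example that is not the asisignal source: a polling loop driven by the -reps and -interval values, with the SOAP round trip replaced by a Probe function so the behaviour can be shown against a scripted server that is unreachable twice, then INITING, then READY. The Probe type and the scripted responses are constructed for the example; the status strings are the ones the text lists.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Server states reported by -action status.
const (
	StatusIniting = "INITING"
	StatusReady   = "READY"
)

// Probe models one round trip of the SOAP call: the reported status, or an
// error when the server does not answer. A real probe would POST to the
// /ManagedServer endpoint; the transport is left out so the loop can be shown
// against a scripted server.
type Probe func() (string, error)

// waitFor implements the wait and waitready actions with the -reps and
// -interval options. With wantReady=false any valid reply ends the wait (wait);
// with wantReady=true the reply must be READY (waitready). It returns the number
// of probes made and an error if the limit was reached first.
func waitFor(probe Probe, reps int, interval time.Duration, wantReady bool) (int, error) {
	if reps < 1 {
		return 0, errors.New("reps must be at least 1")
	}
	for attempt := 1; attempt <= reps; attempt++ {
		status, err := probe()
		switch {
		case err != nil:
			// no answer yet: fall out of the switch, sleep and try again
		case !wantReady, status == StatusReady:
			return attempt, nil
		}
		if attempt < reps {
			time.Sleep(interval)
		}
	}
	if wantReady {
		return reps, fmt.Errorf("server did not reach %s within %d probes", StatusReady, reps)
	}
	return reps, fmt.Errorf("server did not reply within %d probes", reps)
}

// scriptedProbe replays constructed responses in order: "" stands for
// "no connection", any other string is the status the server reports.
func scriptedProbe(responses ...string) Probe {
	i := 0
	return func() (string, error) {
		if i >= len(responses) {
			return "", errors.New("no reply")
		}
		r := responses[i]
		i++
		if r == "" {
			return "", errors.New("connection refused")
		}
		return r, nil
	}
}

func main() {
	// A server that is unreachable twice, then initialising, then ready.
	boot := func() Probe { return scriptedProbe("", "", StatusIniting, StatusReady) }
	n, err := waitFor(boot(), 10, 10*time.Millisecond, false)
	fmt.Printf("wait:      replied after %d probes, err=%v\n", n, err)
	n, err = waitFor(boot(), 10, 10*time.Millisecond, true)
	fmt.Printf("waitready: READY after %d probes, err=%v\n", n, err)
	n, err = waitFor(boot(), 3, 10*time.Millisecond, true)
	fmt.Printf("waitready -reps 3: gave up after %d probes, err=%v\n", n, err)
}
```

For wait, an INITING reply already counts as success because the server answered the SOAP call; a startup script that needs the server to be usable, not merely responsive, is the case waitready exists for, and -reps keeps such a script from hanging forever on a server that never finishes initialising.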



A utility to translate policy rules from the ALES ASIAuthorizer format to XACML. It reads ALES policies from an input file in policyloader format, translates ALES rules to XACML, and stores the XACML rules to an output file.


ALES_ADMIN_HOME\bin\policy2XACML.bat [-in filename] [-out filename] [-?]
ALES_ADMIN_HOME/bin/ [-in filename] [-out filename] [-?]



The input policy file name. If no input file is provided, standard input is read until EOF.


The output policy file name. If no output file is provided, print to standard output.


>policy2XACML.bat -in rule -out rule.xacml



Note: This tool has been deprecated and removed in this release of ALES.

Enrolls an SCM instance by acquiring security certificates from the associated ALES Administration Server. The enrollment is required to configure one-way or two-way SSL communication (see Configuring SSL for Production Environments in the Administration and Deployment Guide for more information). Before enrolling an SCM instance, make sure that the ALES Administration Server is running.


ALES_SCM_HOME\bin\enrolltool.bat <demo|secure>
ALES_SCM_HOME/bin/ <demo|secure>



Enrolls the SCM instance and verifies the Administration Server certificate using the demo CA certificate from the DemoTrust.jks key store in directory ALES_SCM_HOME/ssl. If this option is specified, the tool does not verify matching of the Administration Server host with the one from the certificate. This option should never be used in a production environment.


Enrolls the SCM instance and verifies the Administration Server certificate using a CA certificate from the trust.jks key store in directory ALES_SCM_HOME/ssl. If this option is specified, the tool verifies matching of the Administration Server host with the one from the certificate.

Menu Options

When the tool is started, it displays the following menu options.

  1. Show Enrolled Domains
  2. Show Un-enrolled Domains
  3. Register Domain
  4. Unregister Domain
  5. Enroll
  6. Un-enroll
  7. Exit

Below you will find the explanations for each option.

  1. Show Enrolled Domains shows the list of all enrolled security domains including the following information for each of the domains:
    • URLs of primary and secondary policy distributors (BLM),
    • public and private ports of the SCM instance, and
    • the name of the SCM instance.
  2. Show Un-enrolled Domains shows the list of all un-enrolled domains including the following information for each of the domains:
    • URLs of primary and secondary policy distributors (BLM),
    • public and private ports of the SCM instance, and
    • the name of the SCM instance.
  3. Register Domain registers a new enterprise security domain. You must enter the following data about the domain:
    • the domain name,
    • the URLs of the primary and secondary Administration Servers,
    • the listening port number, and
    • the name of the SCM instance.
    The new data is stored in the ALES_SCM_HOME\config\ file. Initially, the new domain is un-enrolled. You must enroll it by selecting Option 1 of the menu.

  4. Unregister Domain unregisters an enterprise security domain. The domain must be un-enrolled before it can be unregistered. You can un-enroll a domain by selecting Option 6 of the menu.
  5. Enroll enrolls the SCM instance associated with the chosen security domain. You will be asked for the administrator’s username and password to access the administration server. If the SCM is being enrolled for the first time, you will be asked to enter passwords for the SCM certificate private key and for the key stores being generated by the tool.
  6. Un-enroll un-enrolls the SCM instance associated with the chosen security domain. You will be asked for the administrator’s username and password to access the administration server.


>enrolltool demo



Note: This tool has been deprecated. In this release of ALES it applies only to the Web Server SSM.

Enrolls an SSM instance by acquiring security certificates from the associated Administration Server. The enrollment is required to configure one-way or two-way SSL communication (see Configuring SSL for Production Environments for more information). Before enrolling an SSM instance, make sure that the ALES Administration Server is running.

During the enrollment process, you will be asked for the administrator’s username and password to connect to the ALES Administration Server. If the SSM is being enrolled for the first time, you will be asked to enter passwords for the SSM certificate private key and for the key stores being generated by the tool.


SSM_INSTANCE_HOME\adm\enroll.bat <demo|secure>
SSM_INSTANCE_HOME/adm/ <demo|secure>



Enrolls the SSM instance and verifies the Administration Server certificate using the demo CA certificate from the DemoTrust.jks key store. If this option is specified, the tool does not verify matching of the Administration Server host with the one from the certificate. This option should never be used in a production environment.


Enrolls the SSM instance and verifies the Administration Server certificate using trusted CA certificates from the file cacerts in directory BEA_HOME/jdk-version/jre/lib/security. If this option is specified, the tool verifies matching of the Administration Server host with the one from the certificate.


>enroll demo



Note: This tool has been deprecated. In this release of ALES it applies only to the Web Server SSM.

Un-enrolls an SSM instance. As a result of the un-enrollment, the SSM identity certificate is removed from the trusted-peer key stores of the servers the SSM communicates with. Before un-enrolling an SSM instance, make sure that the ALES Administration Server is running.

During the un-enrollment process, you will be asked for the administrator’s username and password to connect to the ALES administration server.


SSM_INSTANCE_HOME\adm\unenroll.bat <demo|secure>
SSM_INSTANCE_HOME/adm/ <demo|secure>



Un-enrolls the SSM instance and verifies the Administration Server certificate using the demo CA certificate from the DemoTrust.jks key store. If this option is specified, the tool does not verify matching of the Administration Server host with the one from the certificate. This option should never be used in a production environment.


Un-enrolls the SSM instance and verifies the Administration Server certificate using trusted CA certificates from the file cacerts in directory BEA_HOME/jdk-version/jre/lib/security. If this option is specified, the tool verifies matching of the Administration Server host with the one from the certificate.


>unenroll demo


Configuration File Usage

All ALES configuration files are currently shipped in the config directory of the Admin, SCM, and SSM instance. This section describes which tools use the various configuration files, and for what purpose.

Administration Server Configuration Files

Table 2-2 describes which configuration files are required for which tools on an AquaLogic Enterprise Security Administration Server installation.

Table 2-2 Admin Configuration Files
Config File
Admin Examples
This file is set up like a Java properties file and can be read to determine the input parameters selected during the install of the Admin Server.
Admin installer when run in silent mode
This silent_install_admin.xml file captures the input parameters selected during the install of the Admin Server. This file can later be used for doing silent installs for similar configurations.
The annotation_transform tool invokes the annotation_transform.xml ant script and gets its configuration from annotation_config.properties. This tool is only needed when you have created annotated policy files via Eclipse.
The policyloader tool uses the file to initialize the BLM API, which it uses to communicate with the BLM server.
The policyIX_config.xml file needs to be updated before being used as input to the policyIX tool.
BLM WebApp
The file is used to configure the BLM WebApp. The BLM looks for this file based on the setting for the Java option ales.blm.home, and then in /config/WLESblm.properties.
WebService interface to BLM
blm.wsdl and pd.wsdl
The WSDL files are needed to compile a Web service client that will be able to talk to the BLM server via SOAP messages.
The file contains the JDBC URL specified during install and is used by the persistence layer to connect to the database.
set-wls-env.bat|sh (WLS 8.x)
WLESWeblogic.conf (WLS 8.x)
The file is referenced in the set-env files used when configuring a WebLogic 8.1 SSM. This file controls the log4j logging for the entire SSM.
set-wls-env.bat|sh (WLS 9.x\10.0)
WLESWeblogic.conf (WLS 9.x\10.0)
The file is similar to, but specific to when used for a WLS SSM.
This file is used to configure the ASI Authorization provider.
This file is used by the Wrapper tool that is used to start the WebLogic server.
This file is used by the Wrapper tool that is used to start the Tomcat server.
This asiadmin.xml file is used by the propagateInitialCache tool. The tool runs only for bootstrap purposes upon install to properly initialize the SCM and Admin SSM. It is automatically run as part of the database schema install or via “WLESadmin.bat|sh init”.
The load.standardbase.conf file is used by the load_adminpolicy tool to load the initial Admin policy after a fresh install.
This file contains ALES configuration properties for an SSM. By default, the ALES runtime looks for a property file called '' in the working directory. Only applicable to SSM running on Tomcat and WLS8.x.
Can be used to determine the location of SCM and Admin install directories.
This file was the Naming Authority file used by the policyloader tool. The use of this file has been deprecated; it is no longer used.
This file controlled the log4j settings for the Java wrappers that were used for running BLM and ARME native processes. The use of this file has now been deprecated and is no longer used.

SCM Configuration Files

Table 2-3 describes which configuration files are used by the SCM install.

Table 2-3 SCM Configuration Files
Config File
This file is set up like a Java properties file and can be read to determine the input parameters selected during the install of the Admin Server.
This file is used by the Wrapper tool that is used to start the SCM server.
The file is referenced from the startup scripts of the tools.
Properties file for the SCM
Config file for the Phoenix Java container framework that is used for creating the SCM process.
Configures the security policy for the SCM Java process.

Note: The SCM process is also controlled by SCM_HOME/apps/scm-asi/SAR-INF/config.xml. This file controls the various modules that make up the SCM process.

SSM Common Configuration Files

Table 2-4 describes which configuration files are used by the SSM instance. Most files are common between various types of SSM instances; those that are specific to an SSM are described in the explanation column. Most files are located in the config directory but when this is not the case the directory is listed.

Table 2-4 Common SSM Config Files
Config File
This file is set up like a Java properties file and can be read to determine the input parameters selected during the install of the SSM. Unlike most other files, this file is located in the SSM_HOME/adm directory.
This silent_install.xml file captures the input parameters selected during the install of the SSM. This file can later be used for doing silent installs for similar configurations. Unlike most other files, this file is located in the SSM_HOME/adm directory.
SSM Examples
This file is set up like a Java properties file and can be read to determine the input parameters selected during the install of the SSM and the creation of the SSM instance. Unlike most other files, this file is located in the INSTANCE_HOME/adm directory.
SSM instance wizard when run in silent mode
This silent_instance_admin.xml file captures the input parameters selected during the install of the SSM and creation of the SSM instance. This file can later be used for doing silent installs for similar configurations. Unlike most other files, this file is located in the INSTANCE_HOME/adm directory.
The annotation_transform tool invokes the annotation_transform.xml ant script and gets its configuration from annotation_config.properties. This tool is needed only when you have created annotated policy files via Eclipse.
The policyloader uses the file to initialize the BLM API that it uses to communicate with the BLM server.
The policyIX_config.xml file needs to be updated before being used as input to the policyIX tool.
The file is referenced from the startup scripts of the tools.
This file is used to configure the ASI Authorization provider.
Internal file used on Windows to control the shortcut menu items.
Can be used to determine the location of SCM and Admin install directories.
This file was the Naming Authority file used by the policyloader tool. The use of this file has now been deprecated and it is no longer used.
This file controlled the log4j settings for the Java wrappers that were used for running BLM and ARME native processes. The use of this file has now been deprecated and it is no longer used.

Web Service SSM Configuration Files

The files shown in Table 2-5 are specific to the Web Service SSM.

Table 2-5 Web Service SSM Configuration Files
Config File
XML schema and WSDL files that will be required when creating a WS SSM XACML client to connect to the WS SSM XACML WebService endpoint.
XML schema and WSDL files that will be required when creating a WS SSM client to connect to the WS SSM server.
This file is used by the Wrapper tool that is used to start the Web service server.
Properties file for the Web service server.
Config file for the Phoenix Java container framework that is used for creating the Web service Java process.
Configures the security policy for the Web service Java process.

WLS SSM Configuration Files

The files shown in Table 2-6 are specific to the WLS SSM.

Table 2-6 WLS SSM Configuration Files
Config File
ALES version of the LDIF Template file used by the WLS DefaultAuthorizer Provider. This file needs to be copied to the WLS domain if you plan to configure the WLS DefaultAuthorizer and ASI Authorizer providers together for the same SSM configuration.
XACMLAuthorizerInit.ldift (only WLS9.x\10.0)
ALES version of the LDIF Template file used by the WLS XACMLAuthorizer Provider. This file needs to be copied to the WLS domain if you plan to configure the WLS XACMLAuthorizer and ASI Authorizer providers together for the same SSM configuration.
This file is used by the Wrapper tool that can be used to start the WebLogic server.
Properties file for the WLS SSM server. Only applicable to SSM running WLS8.x.
